Tobias is a well-known contrarian who has not contributed his talents to Devuan.
I do make sure to use my real name in everything I say about Devuan. You know me, you can block me at any time if I annoy you.
So don't hold your breath . . .
Hmm, the hint that this work-around might not be as robust as promised on recent Devuan releases is at least not harmful IMHO.
This solution was considered robust enough for every distribution from Fedora to Debian until they switched to systemd.
I guess that was back when udev did not kill processes. There were issues with this as processes tended to accumulate and stuff.
Of course you cannot sandbox processes started by udev via RUN, which is trivial using other means I will not name here.
Do you have a better solution?
I can think of several options:
- stick with an old version of udev that still allows this
- use a udev replacement that does not have this problem
- write something that watches udev and starts/stops things for it
Unfortunately all of these require the distribution to put in effort, which makes all of them rather unsuited as a quick work-around.
The udev manual states that RUN "can only be used for very short-running foreground tasks" and that udev may kill tasks that run too long or try to double-fork.
So this suggestion is not a robust solution.
The second step will cause the X server to be started as root, which is a really bad idea(TM). The first step might already do that (since Xwrapper defaults to "auto").
https://media.ccc.de/v/30C3_-_5499_-_en … n_sprundel has an introduction to X server security.
That change means that the entire X server will be started with root rights. The X server is full of decade-old cruft that was written without giving any regard to security and any of that can be triggered by any connected application. You are trashing decades of work to make the Linux GUI safer :-)
https://media.ccc.de/v/30C3_-_5499_-_en … n_sprundel has a presentation on the state of security in the X server. There is a follow-up somewhere, but I cannot find it right now :-)
Check https://ci.devuan.org/view/All/builds: All builds by Devuan developers are listed there (both the successful ones and the failed attempts). Note that only the packages changed by Devuan will show up in this list. The vast majority of packages is taken straight from Debian servers without any changes applied. From what I understand the process of importing packages from Debian to Devuan does not take all Debian security repositories into account right now though (IIRC Jessie is covered though). This is planned to get fixed in the next version of the merge server.
For now, you had better double-check ci.devuan.org for the last successful build of Devuan packages affected by Debian security updates. You might want to also check that the security updates from Debian actually reach your system.